81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62

Analysis

Target

81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62.exe
Size

495KB
MD5

23060ccfc90d21321420bda396ce8f8e
SHA1

69239688b9089a3ba073bf88e0fc60c9bbe0efcc
SHA256

81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62
SHA512

a45c413e5cba8e09c7f418af7c74070178c94acea4433ce240c0f8f1d961eab65dd52288a9b7dfbb479080486ba847b661cbcfe39bc9b7a209c91599f6b9424d

Score

1^/10

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3736	powershell.exe
3736	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3736	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 3556	3808	81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62.exe	76
PID 3808 wrote to memory of 3556	3808	81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62.exe	76
PID 3808 wrote to memory of 3556	3808	81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62.exe	76
PID 3556 wrote to memory of 3736	3556	cmd.exe	78
PID 3556 wrote to memory of 3736	3556	cmd.exe	78
PID 3556 wrote to memory of 3736	3556	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62.exe
"C:\Users\Admin\AppData\Local\Temp\81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62.exe' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\81982f45f90c69f5fbdf0bb34273a99c1a9d1d8b1b51a307cb4b3dfa829bae62.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3736

memory/3736-142-0x0000000008060000-0x00000000086DA000-memory.dmp

Filesize
6.5MB

Download
memory/3736-141-0x0000000006800000-0x000000000681E000-memory.dmp

Filesize
120KB

Download
memory/3736-145-0x0000000006DD0000-0x0000000006DF2000-memory.dmp

Filesize
136KB

Download
memory/3736-144-0x0000000007A80000-0x0000000007B16000-memory.dmp

Filesize
600KB

Download
memory/3736-143-0x0000000006D00000-0x0000000006D1A000-memory.dmp

Filesize
104KB

Download
memory/3736-138-0x0000000005970000-0x0000000005F98000-memory.dmp

Filesize
6.2MB

Download
memory/3736-139-0x00000000058E0000-0x0000000005902000-memory.dmp

Filesize
136KB

Download
memory/3736-137-0x00000000051F0000-0x0000000005226000-memory.dmp

Filesize
216KB

Download
memory/3736-140-0x0000000006010000-0x0000000006076000-memory.dmp

Filesize
408KB

Download
memory/3808-132-0x0000000005670000-0x0000000005C14000-memory.dmp

Filesize
5.6MB

Download
memory/3808-130-0x0000000000250000-0x00000000002D2000-memory.dmp

Filesize
520KB

Download
memory/3808-131-0x0000000004D00000-0x0000000004D66000-memory.dmp

Filesize
408KB

Download
memory/3808-134-0x0000000004FF0000-0x0000000005082000-memory.dmp

Filesize
584KB

Download
memory/3808-133-0x0000000004F50000-0x0000000004FEC000-memory.dmp

Filesize
624KB

Download